Sunday, September 18, 2016

Traditionally, a debit or credit card contains magnetic stripes that
hold the data necessary for performing a transaction. But the system had
a number of security flaws. Many times those cards were compromised
or forged. To address that concern, EMV was developed.

What is EMV actually? How is it different from using debit or credit
cards containing magnetic stripes only? And, how does it enhance
security?

Let’s understand that in more detail.

What is EMV

EMV is a global technology standard that deals with processing of
credit and debit card payments using a card that contains a smart
chip, instead of magnetic stripes.

The word ‘EMV’ stands for Europay, MasterCard and Visa – the
three companies that originally created the standard. The standard is
now managed by EMVCo with its six member organizations – American
Express, Discover, JCB, MasterCard, UnionPay and Visa.

EMV cards use a smart chip instead of magnetic stripes to hold the data
that is required to process a transaction. The smart chip is
basically a microprocessor that can run applications to perform
authentication and hold encrypted data. It can also generate a unique
code for each transaction, which cannot be used for more than one
transaction and thus prevents fraud.

Why EMV

Until the introduction of EMV cards, credit and debit cards relied on
magnetic stripes to verify a transaction. The magnetic stripes in a
card would typically contain data like the card number, expiry date etc.,
and a signature from the cardholder was used to verify the
authenticity of the cardholder.

Customers would typically give the card to a clerk at the POS, who
would swipe it through a magnetic reader. The information stored in the
magnetic stripes of the card would be read to verify
the account details. Then the cardholder would sign a printed slip to
verify its authenticity.

But this system had a number of security flaws. Criminals can read
and write magnetic stripes with technology available on the black
market. Magnetic stripe cards can easily be cloned and used without
the user’s knowledge. Moreover, the signature on the card can also be
forged. EMV is used to address all these security flaws.

How does EMV work

A payment transaction using EMV typically proceeds through the following
steps:

After a card is read by an appropriate terminal device, the
application that will process the payment is selected.
The Application Identifier for an application typically consists of a
registered application provider identifier, which is issued by a
registered authority, and a proprietary application identifier
extension, which differentiates the applications offered by
the application provider.

The terminal then sends some commands to the card asking for a list
of functions to perform in processing the transaction. The card also
provides a list of files and records that the terminal needs to read
from the card in order to obtain the data necessary for the transaction.
This list of files contains the EMV data.

Next, it is checked whether the card can be used. Information like the
application version number, the application usage control (which specifies,
for example, whether the card is for domestic use only) and the application
expiration dates is checked. Based on this information, the
transaction can be declined later.

Next, the card is validated using public key cryptography. There can
be three types of authentication for this purpose:

Static Data Authentication or SDA – It ensures the data read from the
card is signed by the card issuer, which can prevent fraudulent
modification of data. However, it cannot prevent cloning.

Dynamic Data Authentication or DDA – It can protect against
modification of data and cloning.

Combined DDA/Application Cryptogram Generation or CDA – It
combines DDA with the generation of a card’s application
cryptogram to assure card validity.
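
The difference between SDA and DDA described above, as an added example that is not part of the original post: a simplified Python model in which a terminal runs both checks against a genuine card and against a copy of the card's readable data. It uses toy textbook RSA without padding and no real EMV data formats; the keys, card data and class names are constructed for illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Toy textbook RSA from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys (Mersenne primes) and card data; far too weak for real use.
ISSUER_N, ISSUER_D = keypair(2**127 - 1, 2**89 - 1)
CARD_N, CARD_D = keypair(2**107 - 1, 2**61 - 1)
STATIC = b"PAN=CONSTRUCTED-0001;EXP=2912"
SSAD = sign(STATIC, ISSUER_N, ISSUER_D)  # issuer signature over static data
CARD_CERT = sign(STATIC + CARD_N.to_bytes(32, "big"), ISSUER_N, ISSUER_D)

class GenuineCard:
    def read(self):
        return STATIC, SSAD, CARD_N, CARD_CERT
    def dynamic_sign(self, challenge):
        return sign(challenge, CARD_N, CARD_D)  # private key stays in the chip

class Clone(GenuineCard):
    """Copy of every readable record, without CARD_D."""
    def __init__(self, observed_sig):
        self.observed_sig = observed_sig
    def dynamic_sign(self, challenge):
        return self.observed_sig  # can only replay an old signature

def terminal_sda(card):
    static, ssad, _, _ = card.read()
    return verify(static, ssad, ISSUER_N)

def terminal_dda(card):
    static, _, card_n, cert = card.read()
    if not verify(static + card_n.to_bytes(32, "big"), cert, ISSUER_N):
        return False  # card key was not certified by the issuer
    challenge = secrets.token_bytes(4)  # fresh per transaction
    return verify(challenge, card.dynamic_sign(challenge), card_n)
```

Both cards pass the SDA check because the issuer's signature over the static data is itself static; only the genuine card passes DDA, since the terminal's fresh challenge must be signed with a key that never leaves the chip.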

Next, it is checked whether the person holding the card is the
legitimate cardholder. This can be done in a number of ways:

- using the signature of the cardholder
- using a PIN
- using a PIN as well as a signature

The terminal reads data from the
card to determine the type of verification it needs to perform.

Next, terminal risk management is performed to determine whether a
transaction should be authorized online or offline. If
transactions are always carried out online or always offline, this
step can be skipped.

Next, it is checked whether a transaction should be approved
offline, sent online for authorization or declined offline.

Next, appropriate data along with the transaction amount is sent to
the card to make a decision on whether to approve or decline the
transaction.

The card generates a digital signature of the transaction. This
provides a strong cryptographic check that the card is genuine.

The card issuer then sends a response code indicating acceptance or
decline of the transaction. It can optionally send an issuer
script as well. An issuer script is basically a set of commands sent by
the issuer to the card, and it can be used to block cards or change
card parameters. The issuer scripts are encrypted and hence cannot
be read by the terminal.

Acceptance of EMV

EMV has been implemented in more than 80 countries worldwide. As of
2015, 40% of US consumers have EMV cards and roughly 25% of merchants
are EMV compliant. American Express, Discover, Maestro, MasterCard
and Visa have implemented their liability shift for POS terminals.
And, by 2017, the liability shift will be implemented at various
places like pumps, gas stations and ATMs.

So, let’s not debate whether EMV can make card payments
completely secure; this technology can no doubt prevent fraud to
a great extent. So, be aware of the various technologies and stay safe,
stay secure.